insider threat - dashlane · 2021. 1. 19. · insider data threats present another layer of...

PRESENTED BY

INSIDER THREAT2018 REPORT

INSIDER THREAT2 0 1 8 R E P O R T

TABLE OF CONTENTSINTRODUCTION

KEY SURVEY FINDINGS

INSIDER THREAT

DETECTION

INSIDER THREAT PROGRAM

SPONSOR OVERVIEW

METHODOLOGY & DEMOGRAPHICS

3

4

5

16

24

32

34

The resulting Insider Threat Report is the most

comprehensive research on the topic to date, revealing

how IT and security professionals are dealing with risky

insiders and how organizations are preparing to better

protect their critical data and IT infrastructure.

We would like to thank Dashlane for supporting this

research.

In addition, we want to thank all survey participants who

provided their time and input in support of this study.

We hope you will enjoy reading this report.

Thank you,

Holger Schulze

INTRODUCTIONToday’s most damaging security threats

are not originating from malicious

outsiders or malware but from trusted

insiders - both malicious insiders

and negligent insiders. This survey is

designed to uncover the latest trends

and challenges regarding insider threats

as well as solutions to prevent or

mitigate insider attacks.

Our 400,000 member online

community, Cybersecurity Insiders,

in partnership with the Information

Security Community on LinkedIn, asked

Crowd Research Partners to conduct

an in-depth study of cybersecurity

professionals to gather fresh insights,

reveal the latest trends, and provide

actionable guidance on addressing

insider threat.

32018 INSIDER THREAT REPORT

Holger Schulze

CEO and FounderCybersecurity Insiders

[email protected]

https://www.dashlane.com/business?utm_source=metatarget&utm_medium=paid_content&utm_content=cobranded&utm_campaign=insiderthreat_Nov2017mailto:Holger.Schulze%40Cybersecurity-Insiders.com%20?subject=https://cybersecurity-insiders.com

2018 INSIDER THREAT REPORT 4

Ninety percent of organizations feel vulnerable to insider attacks. The main enabling risk factors include too

many users with excessive access privileges (37%), an increasing number of devices with access to sensitive data

(36%), and the increasing complexity of information technology (35%).

A 53% majority have confirmed insider attacks against their organization in the previous 12 months (typically less

than five attacks). Twenty-seven percent of organizations say insider attacks have become more frequent.

Organizations are shifting their focus on detection of insider threats (64%), followed by deterrence methods

(58%), and analysis and post breach forensics (49%). The use of user behavior monitoring is accelerating; 94% of

organizations deploy some method of monitoring users and 93% monitor access to sensitive data.

The most popular technologies to deter insider threats are Data Loss Prevention (DLP), encryption, and identity

and access management solutions. To better detect active insider threats, companies deploy Intrusion Detection

Prevention Solutions (IDPS), log management and SIEM platforms.

The vast majority (86%) of organizations already have or are building an insider threat program. Thirty-six percent

have a formal program in place to respond to insider attacks, while 50% are focused on developing their program.

1

2

3

4

5

KEY SURVEY FINDINGS

INSIDER THREAT


Too often, people associate the term “Insider Threats” in cybersecurity with malicious employees intending to directly harm the company through theft or sabotage. In truth, negligent employees or contractors unintentionally cause an equally high number of security breaches and leaks by accident. In this year’s survey, companies are equally worried about accidental/unintentional data breaches (51%) through user carelessness, negligence or compromised credentials as they are from deliberate malicious insiders (47%).

NATURE OF INSIDER THREATS

What type of insider threats are you most concerned about?

Not sure2%

11001010110010101

1100101011001010111001010110010101

010PASSWORD10

Malicious/deliberate insider

(e.g. willfully causing harm)

Accidental/unintentionalinsider(e.g. carelessness, negligence

or compromised credentials)

51%47%


Security professionals have a unique responsibility to detect counter and respond to cyber attacks. This job becomes increasingly more challenging when threats come from within the organization from trusted and authorized users. It is often difficult to determine when users are simply doing their job function or actually doing something illegal or unethical. The survey indicated both regular employees (56%) and privileged IT users (55%) pose the biggest insider security risk to organizations, followed by contractors (42%).

RISKY INSIDERS

What type(s) of insiders pose the biggest security risk to organizations?*

Privilegedbusiness users/executives

42%

56%Customers/clients

None

Not sure/otherContractors/service providers/

temporary workers

55%Privileged ITusers/admins

Regular employees

29%

22%

2%

6%

*Multi-response questions do not add up to 100%


Data is no longer just an IT asset; it’s a core strategic asset and some types of data are more valuable than others. Confidential business information, which encompasses company financials along with customer and employee data, is a highly strategic asset and equally a high-value target. Again this year, confidential business information (57%) takes the top spot as most vulnerable to insider attacks, followed by privileged account information (52%), and sensitive personal information (49%).

MOST VULNERABLE DATA

What type(s) of data are most vulnerable to insider attacks?

57%

49%52% Employee

data

31%

Not sure/other 1%

Intellectualproperty

(Financials, customer data, employee data)

(Credentials,passwords, etc.)

(PII/PHI) (Trade secrets,research product

designs)

(HR)

Operational/infrastructure

data

27%

(Network,infrastructure

controls)

Confidentialbusiness information

Privilegedaccount

information

Sensitive personalinformation

32%


Cybercriminals see a greater opportunity in targeting where corporate data is located in volume. Databases (50%) and corporate file servers (46%) pose the highest risk. In this year’s survey, mobile devices are perceived as a lesser target and least vulnerable (25%).

IT ASSETS AT RISK

What IT assets are most vulnerable to insider attacks?

50%

46%

39%

33%

32%

30%

36%

Databases

File servers

Cloud applications

Cloud infrastructure

Endpoints

Network

Active directory

Business applications

Mobile devices

29%

25%


The most common culprit of insider threat is accidental exposure by employees. Cybersecurity experts view phishing attempts (67%) as the biggest vulnerability for accidental insider threats. Phishing attacks trick employees into sharing sensitive company information by posing as a legitimate business or trusted contact and they often contain malware attachments or hyperlinks to compromised websites.

ACCIDENTAL INSIDERS

What do you see as the biggest enabler of accidental insider threats?

56%

67%

44% 32%

Phishingattempts

Weak/reusedpasswords

44%Unsecured

WiFi networksBad password

sharing practiceUnlockeddevices


The survey reveals cybersecurity professionals perceive the following three responses as the top enablers for insider attacks: too many users with excessive access privileges (37%), increasing number of devices with access to sensitive data (36%), and technology becoming more complex (35%).

ENABLING RISK FACTORS

What do you believe are the main enablers of insider attacks?

Too many userswith excessive access

privileges

Increasing numberof devices with access

to sensitive data

Technology isbecoming more

complex

37% 36% 35%

Increasing amountof sensitive data

34%

Lack of employeetraining/awareness

31%

Insufficient data protection strategies or solutions 30% | Data increasingly leaving the network perimeter via mobile devices and web access 29% | Increased visibility of insider threats that were previously undisclosed 28% | Increasing use of cloud apps and infrastructure 28% | More employees, contractors, partners accessing the network 27% | More frustrated employees/contractors 19% | Not sure/others 8%


We asked cybersecurity professionals to assess their organization’s vulnerability to insider threats. Ninety percent of organizations feel vulnerable. Only six percent say they are not at all vulnerable to an insider attack.

VULNERABILITY TO INSIDER THREAT

How vulnerable is your organization to insider threats?

90%feel vulnerableto insider threats

Extremely vulnerable Slightly vulnerable

Very vulnerable Not at all vulnerable

Moderately vulnerable Cannot disclose/not sure

13%

43%

28%

6%

6%4%


Looking back, 33% of organizations experienced five or less insider attacks in the last 12 months, while 20% experienced six or more attacks.

Twenty-seven percent say their organizations have experienced more frequent insider threats in the last 12 months. Nearly half of the security professionals (46%) polled believe the frequency of insider attacks has remained at the same levels while 21% say the frequency has decreased.

RECENT INSIDER ATTACKS

How many insider attacks did your organization experience in the last 12 months?

Have insider attacks against your organization become more or less frequent over the last 12 months?

None/not sure 47%

1-5 6-10

33%8%

Morethan 20

4%

11-20

8% Morefrequent27%

Same

46%

Not sure 6%

Less frequent21%


Two-thirds of organizations (66%) consider malicious insider attacks or accidental breaches more likely than external attacks.

Forty-four percent of organizations perceive all (malicious, external and accidental) attacks are as equally damaging, while 31% believe malicious /deliberate insider attacks are more damaging than external attacks (14%). The low weight placed on accidental insider breaches (11%) seems too low, perhaps underestimating the potential damages.

IMPACT OF INSIDER ATTACKS

What threat do you consider most LIKELY to happen to your organization?

What threat do you consider more DAMAGING to your organization?

Externalattack

34%Malicious/deliberateinsider attack

36%

Accidental/unintentionalinsider breach

30%DONWLOAD

All attacks would beequally damaging

Malicious/deliberateinsider attack

Externalattack

Accidental/unintentionalinsider breach 11%

14%

31%

44%


While true cost of a major security incident are not easy to determine, the most common estimate is a range of $100,000 to $500,000 per successful insider attack (27%). Twenty-four percent expect damages to exceed $500,000.

COSTLY INSIDER ATTACKS

What would you estimate is the potential cost/loss of an insider attack in US Dollars?

< $100K No valueof loss

Not sure

10%

27%

16%

3%

23%

$100Kto $500K

$500Kto $1M

$1M to$2M

> $2M

12%9%


DETECTION


Insider data threats present another layer of complexity for IT professionals to manage, requiring careful planning with regards to access controls, user permissions and monitoring user actions. Fifteen percent of organizations said they do not have adequate controls in place.

The good news is security practitioners realize that advanced detection and prevention are key; the majority of respondents (73%) have implemented security controls and policies to deal with impeding threats.

INSIDER RISK CONTROLS

Does your organization have the appropriate controls to detect and prevent an insider attack?

73%

15%

12% YESNot sure

NO


An organization’s control framework is the set of safeguards, separation of duties and recommended actions for IT professionals to use to minimize security risks and exposure. We asked security practitioners what security controls they use to deal with inevitable insider threats. Data Loss Prevention (DLP) (60%) and encryption of data (at rest, in motion, in use) (60%) were both tied for the top spot. Respondents said Identity and Access Management (IAM) (56%), and endpoint and mobile security (50%) were also deployed to avert insider attacks.

DETERRENCE CONTROLS

What controls do you have in place to deter insider threats?

Enterprise Digital Rights Management Solutions (E-DRM) 29% | Privileged account vault 27% | Other 1%

60%

56% 29%

(IAM)(CASB)

Data Loss Prevention(DLP)

60%Encryption of data

(at rest, in motion, in use)

Identity andAccess Management

50%Cloud AccessSecurity Broker

Endpoint andmobile security


There are numerous methods and security tools available to help cybersecurity professionals detect and analyze insider attacks. A vast majority of the respondents identified the use of more than one security tool in their organization. By merging and analyzing these disparate sources, organizations are better able to deal with security breaches. The survey concluded that most insider exploits are detected through Intrusion Detection and Prevention System (IDS/IPS) (63%), Log Management (62%), and Security Information and Event Management (SIEM) (51%) tools.

DETECTION CONTROLS

What controls do you have in place to detect and analyze insider attacks?

63%62% 40%

Intrusion Detectionand Prevention System(IDS/IPS)

Log management

51%Predictiveanalytics

Security Informationand Event Management(SIEM)

User and Entity Behavioral Analytics (UEBA) 39% | Other 2%


Identification, tracking and monitoring of key assets and system resources can help avert or limit an organization’s exposure to insider attacks. When security professionals manage and monitor their key assets, they are able to react faster and with more precision to mitigate incidents. More than three-fourths (78%) of respondents inventory and monitor all or the majority of their key assets.

An overwhelming majority (93%) of organizations monitor access to sensitive data. The level of monitoring varies; 47% continuously monitor data access and movement to proactively identify threats. Remarkably, five percent do not monitor data access and movement at all.

MONITORING OF SENSITIVE ASSETS

Do you monitor key assets and system resources? Do you monitor access to sensitive data?

Yes, all key assets areinventoried and monitored

Yes, a majority of key assets areinventoried and monitored

Yes, but less than 50% of key assetsare inventoried and monitored

No, we have not completedthe inventory of key assets

Key asset management is notpart of our security posture

Not sure/other

10%

5%

7%

42%

36%

Yes, but access logging only

Yes, we continuously monitordata access and movement and

proactively identify threats

Yes, but only under specificcircumstances (e.g., shadowing specific

databases or files)

No, we don’t monitor data accessand movement at all

Yes, but only after an incident(e.g., forensic analysis)

Not sure

24%

8%

5%

2%

14%

47%

Yes, all key assets areinventoried and monitored

Yes, a majority of key assets areinventoried and monitored

Yes, but less than 50% of key assetsare inventoried and monitored

No, we have not completedthe inventory of key assets

Key asset management is notpart of our security posture

Not sure/other

10%

5%

7%

42%

36%


Yes, we continuously monitordata access and movement and

proactively identify threats

Yes, but only under specificcircumstances (e.g., shadowing specific

databases or files)

No, we don’t monitor data accessand movement at all


Not sure

24%

8%

5%

2%

14%

47%


The increasing volume of insider threats have caused cybersecurity professionals to take more action and deploy User Behavior Analytics (UBA) tools and solutions to help detect, classify and alert anomalous behavior. The number of organizations monitoring their user behavior has increased significantly compared to last year (94% this year compared to 42% last year). The number of organizations that don’t monitor their users dropped from 21% last year to only six percent this year.

In this year’s survey, respondents said that they leverage User Activity Monitoring (UAM) (44%) as their top solution to manage user behavior within core applications, followed closely by the use of server logs (42%). Eight percent of respondents have no visibility at all, a decrease from last year of five points, which signals that organizations are investing in tools and resources to have better visibility into user activity.

INSIDER MONITORING

Do you monitor user behavior? What level of visibility do you have into user behavior within core applications?

15%

6%

5%

1%

44%

29%

Rely on server logs

No visibility at all

Have deployed keylogging and/orsession recording

Have deployed useractivity monitoring

In-app audit system/feature

Not sure

8%

3%

44%

42%

32%

26%


Yes, we use automated tools tomonitor user behavior 24x7

No, we don’t monitor user behavior at all

Yes, but only under specific circumstances(e.g., shadowing specific users)


Not sure/other

15%

6%

5%

1%

44%

29%

Rely on server logs

No visibility at all

Have deployed keylogging and/orsession recording

Have deployed useractivity monitoring

In-app audit system/feature

Not sure

8%

3%

44%

42%

32%

26%


Yes, we use automated tools tomonitor user behavior 24x7

No, we don’t monitor user behavior at all

Yes, but only under specific circumstances(e.g., shadowing specific users)


Not sure/other


Every organization must be vigilant when it comes to data protection. Not all insider threats are malicious; some are the result of an honest mistake or careless employee behavior. Monitoring allows cybersecurity professionals to decrease their risk exposure by quickly detecting unusual employee system activity. Ninety percent of the respondents believe that it is necessary to monitor access to the organization’s sensitive data.

Identification of high-risk insiders is a key part of a threat prevention strategy. One way to identify these individuals is to profile their behavior and work patterns. Hostility toward other employees, late or excessive missing work, undue work outside normal work hours, and declining performance are just some of the indicators. Organizations surveyed strongly believe it is necessary to identify high-risk insiders based on their behaviors (88%).

INSIDER MONITORING

Do you think it’s necessary to monitor and profile how insiders are accessing your sensitive data?

Do you think it’s necessary to identify high-risk insiders based on their behaviors?

3%

90%

NO

7% Not sure

YES

88%YES

6%NO6% Not sure

3%

90%

NO

7% Not sure

YES

88%YES

6%NO6% Not sure


The number of organizations that do not leverage threat analytics continues to decline year after year. This year, only 14% of respondents said they do not use analytics, compared to 30% last year.

ADOPTION OF ANALYTICS

Does your organization leverage analytics to determine insider threats?

33%

Yes – security analytics

Yes – data access and movement analytics

No

Not sure

Yes - user behavior analytics

Yes - activity management and summary reports

Yes - predictive analytics

46%

38%

32%

14%

7%

55%


INSIDER THREAT PROGRAM


Organizations are shifting their focus on detection of internal threats. In this year’s survey, detection (64%) surpassed deterrence methods (58%) to take the top spot, followed by analysis and post breach forensics (49%).

FOCUS ON DETECTION

What aspect(s) of insider threat management does your organization primarily focus on?

Deterrence(e.g., access controls,

encryption, policies, etc.)

Detection(e.g., user monitoring,

IDS, etc.)

41% 28%Post breach remediation(e.g., back-up/disaster recovery, etc.)Deception(e.g., honeypots, etc.)

Analysis and post breach forensics (e.g., SIEM, log analysis, etc.)

64% 49%58%


The survey reveals that organizations have recognized the growing significance of insider threats and are investing resources to develop comprehensive incident response plans. A vast majority (86%) of organizations have or are building an insider threat program. Thirty-six percent have a formal program in place to respond to insider attacks, while 50% are focused on developing their program.

INSIDER PROGRAM MATURITY

How would you rate the maturity of your insider threat program?

Maturing(We are developinga formal program forinsider theats)

Mature(We have a formal threat

detection, auditingand incident responseprogram for insiders)

4%Not sure

Immature(We have no formal program)

36% 50%

10%


A majority of respondents surveyed (81%) say their organizations are moderately to very effective when it comes to addressing insider threat prevention and detection. Thirteen percent expressed that their organization’s insider threat programs are ineffective, while six percent do not have a program in place.

INSIDER THREAT CONFIDENCE

How effective do you consider your insider threat prevention and detection methods?

Very effective

think their organizations are moderatelyto very effective addressing insider threatprevention and detection

We don’t have aninsider threat program

Somewhat effective

Somewhat ineffective

Very ineffective

33%

48%

81%

6%

3%

10%


For the third year in a row, lack of training and expertise (52%) remain the biggest barriers to better insider threat management. Other barriers include the lack of suitable technology (43%), while tied for third place in this year’s survey are both lack of collaboration among departments (34%) and lack of budget (34%). Notably, lack of budget fell from second place last year to third this year.

BARRIERS TO INSIDER THREAT MANAGEMENT

What are the biggest barriers to better insider threat management?

#1 #2 #3

8% p.p.from last year

15% p.p.from last year

14% p.p. 16% p.p.from last year

#4

from last year

52% 43% 34% 34%

Lack of trainingand expertise

Lack of suitabletechnology

Lack of budgetLack of collaborationamong separate departments

Lack of staff 22% | Not a priority 10% | Not sure/other 5%


Detecting and preventing insider attacks are much more challenging than external breaches, as they are users with legitimate access that unwittingly create vulnerabilities or intend to maliciously exploit an organization’s cyber assets. Slightly more than one-fifth of respondents claim detection of insider threats is within minutes (22%), while 28% say within hours.

In this year’s survey, organizations are even more confident in their ability to quickly recover from insider attacks. Most organizations feel they could recover from an attack within a week (89%) up 18% from the previous year. Only two percent of companies believed they would never fully recover.

SPEED OF DETECTION & MITIGATION

How long does it typically take your organization to detect an insider attack?

How long does it typically take your organization to mitigate and stop an insider attack?

Within minutes

17%

22% 28% 26% 13%

32% 26% 11%

Within hours Within one day Within one week

Mitigation time

Not sure 8% Not sure 10%

Detection time

50% organizations detect aninsider attack within hours 49% organizations mitigate and stop aninsider attack within hours

3%

4%

Within one month


Looking ahead, close to half of the surveyed organizations (49%) expect budget increases. Forty-three percent expect their IT budgets to remain flat, while only one percent foresee their security funding shrinking. This is a marked improvement in budget outlook compared to last year’s survey.

Defending against security attacks is an ongoing challenge; cybersecurity professionals are equally concerned about the rise in the volume and frequency of both external and insider attacks. Forty-three percent of organizations allocate over eight percent of their IT security budget to preventing, detecting, and mitigating insider threats.

BUDGET TRENDS

How is your security budget changing over the next 12 months? How much of your IT security budget is devoted to preventing, detecting and mitigating insider threats?

43%49%

1%Budgetwill decline

Not sure 7%

Budget willstay flat

Budgetwill increase

7 p.p.from last year

0%

4%

24%

29%

14%

1-5% 6-7% 8-10% morethan 10%

29%


Having a well understood information security policy and documented procedures help protect organizations and reduce risk from both internal and external cyber threats. The primary policy-based insider threat management methods that organizations have in place are the use of company policies and training (68%), internal audits (63%), and background checks (56%).

Organizations realize that prevention and awareness are key cornerstones in the defense against insider security breaches; an overwhelming majority (82%) have implemented insider security programs.

INSIDER THREAT TRAINING

What administrative policies and procedures do you have in place for insider threat management?

Do you offer training to your employees and staff on how to minimize insider security risks?

Policies and training

Backgroundchecks

Information securitygovernance program

Whistleblowerprogram

Internalaudits

68%

63%

56%

50%

43%

27%

Dataclassification

YES

NO

Not sure

82%

13%

5%


SPONSOR OVERVIEW


SPONSOR OVERVIEW

Dashlane | www.dashlane.com

Dashlane, one of the world’s most trusted digital security companies, solves the #1 cybersecurity risk – weak and

stolen passwords – with its password manager app. Dashlane Business is trusted by 7,000+ companies to create,

enforce, and track effective access management, and features the only patented security architecture.

https://www.dashlane.com/business?utm_source=metatarget&utm_medium=paid_content&utm_content=cobranded&utm_campaign=insiderthreat_Nov2017https://www.dashlane.com/business?utm_source=MetaTarget&utm_medium=paid_content&utm_content=2017insiderthreatreport&utm_campaign=2017insiderthreatreport_cobranded


This research is based on the results of a comprehensive online survey of 472 cybersecurity professionals to gain deep insight into the insider threat faced by organizations and the solutions to detect, remediate, and prevent it. The respondents range from technical executives to managers and IT security practitioners, representing organizations of varying sizes across all industries.

METHODOLOGY & DEMOGRAPHICS

JOB TITLE

34% 25% 19% 9% 9% 4%

Director Manager/supervisor CTO, CIO, CISCO, CMO, CFO, COO Vice president Specialist Other

DEPARTMENT

IT Operations IT Security Other

COMPANY SIZE

Fewer than 100 100-999 1,000-4,999 5,000-10,000 Over 10,000

59% 30% 11%

5% 37% 27% 17% 14%

insider threat - dashlane · 2021. 1. 19. · insider data threats present another layer of...

Documents